You’ve probably heard that JavaScript is dangerous. Well, that’s partly correct. JavaScript can be dangerous if the proper precautions aren’t taken. It can be used to view or steal personal data without you even realizing that it’s happening. And since JavaScript is so ubiquitous across the web, we’re all vulnerable.

The Benefits Of JavaScript

First things first, JavaScript is a good thing. According to W3Techs, approximately 88.1% of all websites use JavaScript in one way or another. Most of the big name sites — such as Amazon and YouTube — would be nowhere near as useful if the Internet was a JavaScript-free zone.

But as we’ll soon see, JavaScript is not perfect. It can be abused, and that abuse leads to scenarios that make it possible to snoop on your Internet activity and violate your privacy.

One common yet misguided piece of advice is to disable JavaScript entirely but we don’t recommend it. You’d lose out on a lot of awesome web functionality, such as the “infinite scrolling” feature that exists on many blogs, social networks, and news sites.

But more so, some browser exploits are still possible even if you disable JavaScript. Thus, disabling JavaScript due of security concerns is like wearing a bubble suit every time you go outside because you’re afraid of getting hurt. It won’t actually protect you from much, but it will make your life miserable.

Snooping The Words You Type

In July 2012, a pair of researchers sampled data from 5 million Facebook users in America and the United Kingdom. What were they looking for? Self-censorship. More specifically, they wanted to know how often users would start writing a post but end up deleting it before it was actually posted.

They did this by embedding a bit of JavaScript that tracked the textboxes where users could make status updates, write wall comments, etc. The researchers made it clear that they only recorded “the presence or absence of text entered” rather than “keystrokes or content,” but the implication is clear.

It was possible to track keystrokes and content. They just chose not to.

The notion is a scary one. A simple chunk of embedded JavaScript is all that’s needed to record any kind of activity on a webpage — even if you don’t actually submit anything! Web scrolling, mouse movements, keystrokes: all of it can be tracked and recorded against your will or knowledge.

Cookies are persistent, meaning they continue to exist even after you leave the webpage or close your browser (unless they expire or you delete them manually). Do you see the growing problem? If a cookie persists from webpage to webpage, it’s possible for a company to see which websites you visit.

This is best explained with an example: social share buttons. Consider the Facebook Like button, which uses JavaScript to perform its action. When your browser loads the page, it has to load the button. Loading the button means making a request to Facebook for the necessary JavaScript file. That request includes data like your IP address, the webpage you’re on, any Facebook cookies on your system, etc.

Just to be clear, you don’t need to click the button for it to track you. The act of loading is enough for these share widgets to gather data on you.

Malicious Code Injection

One of the most insidious uses of JavaScript occurs in the form of cross-site scripting (XSS). Simply put, XSS is a vulnerability that allows hackers to embed malicious JavaScript code into an otherwise legitimate website, which is ultimately executed in the browser of a user who visits the site.

And then there’s something called a cross-site request forgery (CSRF), which is the inverse of an XSS. This kind of malicious JavaScript code can exploit a user’s browser, cookies, and security permissions in order to perform actions on a separate website.

NoScript for Firefox is one of the best things you can do to protect your PC (but it's no substitute for antivirus!) I only whitelist the sites I trust, including the third-party scripts like jQuery that so many sites load.
ScriptSafe for Chromium-based browsers is a good equivalent; I don't know of a similar addon for IE...

I use the Noscript plugin for Firefox and middle-click the icon until the functions I require are loaded -- like the Disqus comments function, for example. I really miss the simplicity of the web circa 15 years ago. Now, I have to install a dozen plug-ins to make things bearable and semi-secure/private.

There are some who think the concept of NoScript is unethical but it's hard to deny that it offers something that many people find valuable. Also, that complexity you describe is one reason why some people say that JavaScript is the worst thing to happen to the Internet. The 90s was such a simple decade on the web, wasn't it? :P

I notice a lot of websites detect the NoScript plugin, then, go on to provide a sane alternative to the overcomplicated version which would normally get loaded!
Yes, the 90's web was a far simpler thing to navigate - anyone could build a respectable website using only Notepad, or Frontpage!